Last updated 2026-07-09

TL;DR
Under 16 CFR 310.5 of the FTC's Telemarketing Sales Rule, telemarketers and sellers must keep six categories of records for 24 months from the date each record is created or last used, whichever is later. The categories include advertising materials, prize recipient names, customer lists, employee records, verifiable authorizations for charges, and every script. The FTC can demand any of them during an investigation.
What does 16 CFR 310.5 actually require?
16 CFR 310.5 is the recordkeeping section of the FTC's Telemarketing Sales Rule (TSR). It tells sellers and telemarketers which records to keep and for how long. The short answer is 24 months, measured from the date a record is created or last used, whichever comes later. [1]
The rule names six categories of records. Each one exists for a different reason, and knowing which bucket a document falls into is the first step toward a retention policy that survives an FTC demand.
Here are the six categories under 16 CFR 310.5(a):
1. Advertising and promotional materials used in any telemarketing campaign. 2. Information about prize recipients, including their names and addresses. 3. Sales records, meaning the names and last-known addresses of all customers. 4. Employee records, specifically the names and last-known addresses of all current and former employees involved in telemarketing. 5. All verifiable authorizations or records of express informed consent or express agreement required to be provided or received under the TSR. 6. All scripts, outlines, or presentation materials used by telephone salespeople.
If you run an outbound sales team, categories 3, 5, and 6 are where small teams stumble. Customer lists are obvious. The consent records and the scripts catch people off guard. Many teams treat scripts as throwaway drafts and delete them the day a campaign wraps. Under 310.5, that deletion is a violation.
How long do you have to keep telemarketing records under the TSR?
The retention period is 24 months. 16 CFR 310.5(a) requires that records be kept for 24 months from the date the record is created, or from the date it is last used, whichever is later. [1]
That "whichever is later" clause does real work. A script you wrote in January 2023 but ran through December 2024 does not expire in January 2025. It stays on the shelf until December 2026, a full 24 months after its last use.
For consent records tied to a customer relationship, the clock usually starts when the authorization was last relied on to place a call or send a message. Say you made a sales call in October 2024 using a written authorization your prospect signed in 2022. That authorization has to survive until at least October 2026.
Some teams assume that because the TCPA (47 U.S.C. 227) is the headline law for calls and texts, the TSR recordkeeping rules are optional or secondary. They are neither. The TSR is a standalone federal requirement enforced by the FTC, and violations can run up to $51,744 per violation as of 2024, adjusted for inflation under the Federal Civil Penalties Inflation Adjustment Act. [2][12] The TCPA and TSR overlap on consent but split on recordkeeping mechanics, so you have to satisfy both.
Who does 16 CFR 310.5 apply to?
The rule binds two parties: sellers and telemarketers, both defined in 16 CFR 310.2. [1]
A "seller" is any person who provides goods or services to a customer in exchange for payment in a telemarketing transaction, directly or through an intermediary. A "telemarketer" is any person who, in connection with telemarketing, initiates or receives telephone calls to or from a customer or donor.
If your company makes the calls and closes the sale, you are both. If you are a lead generation firm passing leads to a downstream seller, you are almost certainly a telemarketer under the rule, and the recordkeeping obligation lands on you directly.
B2B exemptions exist, but they are narrower than most people assume. Calls to businesses about nondurable office supplies sit outside many TSR protections, yet the recordkeeping rules of 310.5 still cover most covered telemarketing activity. If any meaningful slice of your calls reaches consumers, you are in scope.
Third-party vendors are not a clean escape either. The FTC's position is that a seller who hires a telemarketer stays responsible for that telemarketer's compliance, recordkeeping included. Your contract with an outsourced call center should spell out which party holds which records and for how long. Get it in writing before the first dial.
What specific records must be retained under each category?
Here is what each category means in day-to-day operations.
Advertising and promotional materials. Every version of every ad or mailer that drove inbound calls, plus every outbound script or leave-behind. Save PDFs, screenshots of digital ads, email templates, and direct mail proofs. Version control matters. If you updated a script in March, keep the March version and the prior version separately, each stamped with dates.
Prize recipient information. If you run sweepstakes or prize promotions tied to your telemarketing, keep the names and addresses of winners. Most small outbound teams never run prize promotions, so this one is often not applicable.
Customer records. Names and last-known mailing addresses of every customer. That is the floor. In practice, capture the date of each transaction and the product sold too, because that detail is what lets you rebuild a timeline during an investigation.
Employee records. Names and last-known addresses of everyone involved in telemarketing, contractors and remote agents included. When an agent leaves, you cannot delete their record. Keep it for 24 months from their last day of telemarketing work.
Express consent and authorization records. This is the big one. Under 16 CFR 310.5(a)(5), you must keep every verifiable authorization or record of express informed consent or express agreement required under the TSR. [1] For any charge placed to a consumer's account, you need written authorization or a recorded verbal agreement. Those recordings and documents live in your retention system for 24 months.
Scripts and presentation materials. Every script, talk track, or structured outline used on a call. That includes email-to-call sequences when the email is part of the pitch.
| Record Category | Retention Period | Clock Starts | |
|---|---|---|---|
| Advertising materials | 24 months | Date last used | |
| Prize recipient info | 24 months | Date created | |
| Customer records | 24 months | Date last used | |
| Employee records | 24 months | Date of last telemarketing activity | |
| Consent/authorization records | 24 months | Date last relied upon | |
| Scripts and presentations | 24 months | Date last used | [1] |
How does the FTC actually inspect or audit these records?
The FTC rarely shows up unannounced. Investigations usually open with a civil investigative demand (CID), the agency's version of a subpoena. A CID can demand any records covered by 310.5, and more. You typically get 30 days to respond, though the FTC sometimes grants extensions.
By the time a CID lands, the scramble to find two-year-old consent recordings or old script versions is already a losing game. Teams that never built a real document system tend to discover that records lived in a sales rep's personal Dropbox, or that call recordings vanished after 90 days because nobody touched the VoIP provider's default retention setting.
The FTC also fields complaints from consumers, state attorneys general, and other agencies. A pattern of consumer complaints can trigger an investigation with no specific tip about recordkeeping at all. Missing records then become aggravating factors that push penalty exposure higher.
The agency does not have to prove that missing records caused consumer harm. The failure to keep them is itself the violation. [4]
If you want to see what a real CID looks like, the FTC publishes many enforcement documents on its site. Reading one is the fastest way to grasp exactly what an investigator will ask for.
What is the penalty for violating 16 CFR 310.5?
Each TSR violation, including each failure to keep a required record, can carry a civil penalty of up to $51,744 as of 2024. [2] That figure is adjusted every year under the Federal Civil Penalties Inflation Adjustment Act. [12]
The math turns ugly fast. If the FTC finds you ran 12 campaigns without keeping advertising materials, that is potentially 12 separate violations. The agency has discretion over how it counts, and in practice settlement amounts swing on the company's ability to pay, its cooperation, and whether real consumer harm sits underneath.
Recordkeeping violations alone rarely produce the biggest penalties. They usually appear next to substantive TSR violations (deceptive calls, illegal charges) and serve as proof that the company had no compliance culture at all. That pairing is what drives multi-million-dollar judgments.
For a small operation, the sharper risk is quieter. Missing records make it nearly impossible to defend a consumer complaint. If someone claims you called without consent and you cannot produce the consent record, your easiest defense is gone.
How do TSR recordkeeping rules interact with TCPA consent requirements?
The TCPA (47 U.S.C. 227) and the TSR both care about consent, but they run on different legal frameworks with different enforcers. [5]
The TCPA is enforced by the FCC and through private lawsuits. The TSR is enforced by the FTC and state attorneys general. A single call to a consumer can trigger duties under both at once.
On consent documentation, the FCC's TCPA rules require that consent for autodialed or prerecorded calls to cell phones be in writing and carry specific disclosures. The TSR requires that verifiable authorizations for charges be kept for 24 months. These are not the same document, though they often overlap.
The practical move is to keep one consent record that satisfies both. A written consent that captures the date, the consumer's phone number, the specific calling entity, the product or service category, and the delivery method (web form, paper, verbal recording) covers most of what both regimes want to see.
For cold calling teams building consent workflows, the 24-month retention rule under 310.5 is the floor, not the ceiling. Private TCPA litigation strategy and some state laws push toward keeping records up to four years, because TCPA claims can be filed up to four years after the violation under 28 U.S.C. 1658. [6] When in doubt, keep longer.
The FCC's one-to-one consent rule increased the documentation burden by requiring consent for each specific calling entity rather than a category of sellers. That change means your consent records now need to name your company, more than the product category. [12]
What systems should you use to store telemarketing records compliantly?
The TSR does not dictate a storage format. Paper is legally fine. So is a cloud folder, a CRM, or a dedicated compliance platform. What matters is that records stay organized, retrievable on short notice, and safe from accidental deletion.
Here is what works for teams with fewer than 50 agents.
For call recordings, set your VoIP or dialer to keep recordings for at least 24 months. Most platforms default to 90 days or less. Change that setting the day you read this. Confirm it in writing with your vendor so you have documentation of the instruction.
For consent records, store them in a system that logs the timestamp, the source URL for web opt-ins, and the consumer's phone number in a searchable field. A spreadsheet can technically work. A CRM with a dedicated consent field and clean export is more defensible.
For scripts and advertising materials, use version-controlled folders. Name files with the campaign and date range ("Q1-2024-outbound-script-v2.pdf") and never overwrite an old version. A simple Google Drive or SharePoint structure with a written retention policy attached to it is enough.
The LeadCompliant compliance kit includes a recordkeeping checklist built around the six 310.5 categories, which is a fine starting point if you want something ready-made. Beyond that, read the FTC's own TSR compliance guide cover to cover. [8]
For teams running AI cold calling or automated dialers, records get messier because call metadata (timestamps, CLID data, disposition codes) is itself part of what you may need to produce. Make sure your dialer exports that metadata in a format you can still read two years from now.
Do state laws require longer retention periods than the federal TSR?
Some do. The federal 24-month floor does not preempt stricter state telemarketing laws. Several states run their own telemarketing acts with recordkeeping provisions that match or exceed the TSR.
Florida's Telemarketing Act and California's consumer protection regime both carry requirements that can stretch effective retention obligations depending on the transaction type. [9][5] California has a four-year statute of limitations on many consumer protection claims, which creates a real reason to hold records for four years even when the state's telemarketing rules only demand two.
For teams calling into multiple states, the safe path is to retain records for the longest period any state you call into requires. If you call California, keep records four years. If you never call California, the federal 24-month rule is your baseline.
State attorneys general can enforce the TSR directly under the Telemarketing and Consumer Fraud and Abuse Prevention Act, which authorizes state AGs to bring civil actions for TSR violations. [11] A state enforcement action can demand your 310.5 records exactly the way the FTC can.
What happens if records are lost, corrupted, or accidentally deleted?
The TSR has no safe harbor for accidental deletion. If you cannot produce records the FTC demands, the consequence is the same as never creating them. The FTC may infer that the missing records would have shown a violation.
Documented good-faith effort still matters in settlement talks. A written retention policy, evidence that you told your vendor to keep recordings, and logs showing the deletion was a technical error rather than a purge put you in a far better spot than a company with nothing on paper.
Backups are not optional here. At a minimum, quarterly exports of call logs and consent records to a separate location give you a recovery path when your primary system fails. Cloud storage with versioning turned on (Google Drive, AWS S3 with versioning, Backblaze B2) gives you point-in-time recovery for very little money.
If a vendor deletion costs you records, your contract with that vendor should assign liability. Without a data retention clause, you are unlikely to recover a dime from the vendor while still facing FTC exposure yourself.
How should you document your 310.5 compliance program internally?
The best internal documentation is a written records retention policy that names 16 CFR 310.5, lists the six categories, states where each type lives, names who owns each category, and sets a review schedule.
That one document does three jobs. It makes the expectation explicit so employees cannot claim ignorance. It builds a paper trail that shows the FTC you took compliance seriously before any investigation opened. And it hands you a checklist to audit yourself every year.
A policy is worthless without enforcement. Name one person, even at a five-person company, as the owner of recordkeeping. That person runs a quarterly check: pull three random consent records and confirm they are retrievable, verify the call recording settings have not drifted, and confirm that departed employees' records are still intact.
For cold calling scripts specifically, build a handoff at the end of every campaign. The sales manager or compliance owner archives the final version of each script to the retention folder before it comes out of active use.
The LeadCompliant free TCPA tools include a DNC scrubbing checker and a consent verification tool that slot into pre-call workflows. Automated tools create timestamped logs of your compliance checks, and those logs are themselves useful records to retain under a 310.5 program.
Frequently asked questions
What is the exact retention period under 16 CFR 310.5?
16 CFR 310.5(a) requires sellers and telemarketers to keep records for 24 months from the date each record is created or last used, whichever is later. This covers all six categories: advertising materials, prize recipient information, customer records, employee records, consent and authorization records, and scripts. The "last used" clause means active campaigns extend the clock well past their launch date.
Does the 24-month rule apply to call recordings?
Call recordings that document verifiable consumer authorizations or express informed consent fall under 16 CFR 310.5(a)(5) and must be kept for 24 months. Routine recordings that do not document consent are not explicitly named in 310.5, but the FTC requests them often during investigations and they help your defense. The safest approach is to keep all call recordings for at least 24 months.
Who enforces 16 CFR 310.5 recordkeeping violations?
The FTC is the primary enforcer. State attorneys general can also enforce the Telemarketing Sales Rule directly under the Telemarketing and Consumer Fraud and Abuse Prevention Act, which authorizes civil actions in federal court. A consumer cannot sue directly for a TSR violation, but missing records can sink your defense in a parallel private TCPA lawsuit.
Do the TSR recordkeeping rules apply to inbound calls?
Some inbound calls are covered, specifically those responding to an outbound telemarketing ad or direct mail solicitation. If your inbound calls come from outbound marketing, the TSR likely applies to that campaign and its records. Purely organic inbound calls with no connection to a marketing campaign generally fall outside TSR coverage.
Are there exemptions to the 310.5 recordkeeping requirements?
There is no blanket small-business exemption from 310.5. Certain transaction types are exempt from other parts of the TSR (business-to-business calls for nondurable goods, some charitable solicitations), but even exempt callers can carry recordkeeping obligations depending on how broadly their campaigns reach consumers. When in doubt, treat the 24-month rule as universal.
What records do I need to keep for DNC compliance under the TSR?
Under 16 CFR 310.4(b)(3)(iv), sellers must maintain a written DNC compliance policy and honor requests. DNC request records are separate from the 310.5 retention categories, but they are part of the broader TSR compliance record. Keep both the DNC policy document and individual suppression requests for at least five years to cover the obligation cleanly.
Does 16 CFR 310.5 apply to text message marketing?
The TSR covers telephone solicitations, and the FTC's position is that text messages sent for marketing can constitute telemarketing under the rule. If your SMS campaigns promote goods or services and involve payment, treat them as subject to TSR recordkeeping. That means retaining consent records for SMS opt-ins, message content versions, and customer lists for 24 months.
Can I store telemarketing records in the cloud to satisfy 310.5?
Yes. The TSR names no particular storage format. Cloud storage is acceptable as long as records stay accessible and retrievable on reasonable notice. The main risk with cloud storage is unintentional auto-deletion or vendor data loss. Turn on versioning, confirm your retention settings with the vendor in writing, and keep a secondary backup against accidental deletion.
What is the penalty for failing to keep records under the Telemarketing Sales Rule?
Civil penalties can reach $51,744 per violation as of 2024, adjusted annually under the Federal Civil Penalties Inflation Adjustment Act. Each distinct recordkeeping failure can count as a separate violation. In practice, pure recordkeeping violations are often bundled with other TSR charges, and missing records also erase your primary defense against allegations of improper calling.
How do I handle records when I switch to a new CRM or dialer?
Before migrating, export a complete copy of all 310.5 records from the old system. Store the export in a format you can read without the old software (CSV, PDF, MP3 or WAV for recordings). Verify the export is complete before you decommission the old system. Document the migration date and what moved. Do not count on the old vendor to keep your data accessible after the contract ends.
Does the 24-month retention period under 310.5 conflict with state data privacy laws requiring data deletion?
This is a real tension. California's privacy law gives consumers the right to request deletion of personal data, but it includes exceptions for records a business must maintain by law. A 310.5 retention obligation is a legal requirement that can support denying a deletion request for the specific records covered. Document the legal basis for retention carefully when you deny a request.
Are third-party lead generators subject to 16 CFR 310.5?
If a lead generator initiates or receives telemarketing calls, it qualifies as a telemarketer under 16 CFR 310.2 and the recordkeeping rules apply directly. Even a lead generator that only supplies names to a downstream seller can share compliance responsibility, because the FTC has signaled that entities materially involved in a telemarketing chain carry duties. Lead generators should keep their own consent documentation for 24 months.
How does 310.5 interact with the FCC's one-to-one consent rule?
The FCC's one-to-one consent rule requires that prior express written consent for autodialed marketing calls name the specific calling entity. That raises the bar on what a compliant consent record looks like. Under 310.5, you still keep those records for 24 months, but the record itself now has to show your company's name rather than a generic consent to receive marketing calls.
Sources
- FTC, Code of Federal Regulations 16 CFR Part 310 (Telemarketing Sales Rule): 16 CFR 310.5(a) requires sellers and telemarketers to retain six categories of records for 24 months from the date each record is created or last used, whichever is later.
- FTC, Civil Penalty Inflation Adjustments (Federal Register annual rule): The maximum civil penalty per TSR violation is $51,744 as of 2024.
- FTC, Cases and Proceedings: The FTC has cited TSR recordkeeping failures as violations independent of proof of consumer harm in enforcement actions.
- U.S. Congress, Telephone Consumer Protection Act (47 U.S.C. 227): 47 U.S.C. 227 governs consent requirements for autodialed and prerecorded calls and is enforced separately from the FTC's Telemarketing Sales Rule.
- U.S. Congress, 28 U.S.C. 1658 (statute of limitations for federal civil claims): 28 U.S.C. 1658 provides a four-year statute of limitations for civil claims arising under federal statutes enacted after December 1, 1990, including the TCPA.
- FTC, Complying with the Telemarketing Sales Rule (Business Guide): The FTC's compliance guide for the Telemarketing Sales Rule provides practical guidance on the recordkeeping requirements of 16 CFR 310.5.
- Florida Legislature, Florida Telemarketing Act (Chapter 501, Part IV, Florida Statutes): Florida's Telemarketing Act imposes state-level recordkeeping and compliance requirements on telemarketers operating in Florida.
- U.S. Congress, Telemarketing and Consumer Fraud and Abuse Prevention Act (15 U.S.C. 6101 et seq.): The Telemarketing and Consumer Fraud and Abuse Prevention Act authorizes state attorneys general to bring civil actions to enforce the Telemarketing Sales Rule.
- FTC, Telemarketing Sales Rule (rule page and amendments): The FTC's TSR page consolidates the current rule text, penalty amounts, and amendments affecting sellers, telemarketers, and recordkeeping obligations.